Whither cyber security for the distribution system? Is it in fact the most vulnerable part of the grid? And would voluntary measures be enough or should mandated approaches be enforced, top-down? We offer a slew of questions and seek the answers.
I try to keep Friday's columns on the lighter side but, failing that, I'll keep it brief.
First, we'll bring you more on the Utility Analytics Week just past. But I'm also looking ahead.
Cyber security is an issue that won't go away and that's not a bad thing.
Rumblings have it that cyber security measures may be mandated for the distribution system, which comprises the bulk of physical grid assets and, due to distributed intelligence, currently the most vulnerable attack vectors.
Whether cyber security "mandates" (admittedly a loaded word) will come in the form of legislation, regulation or executive orders remains uncertain, but the low likelihood of legislation amid the current political gridlock in Washington certainly raises the prospects of the other two possibilities. And news accounts and leaks point to the potential for executive orders to be issued.
Coincidentally (or not), it's an election year. Does that really matter? Should it? Does cyber security really fit into the perennial argument about what constitutes an appropriate level of top-down oversight versus excessive regulation?
The possibility of mandated cyber security measures for the distribution system raises many questions and, I'd suggest, requires utility executives, regulators and other stakeholders to think clearly and responsibly about what is in the best interest of a) the country, b) their local stakeholders and c) their organization. What level of preparation is appropriate and how does the cost/benefit ratio stack up? What will regulators do about cost recovery? What's the difference between compliance with mandates and actual security precautions tailored by and for a particular utility?
Assessing a threat that, by and large, hasn't yet come home to roost is difficult enough. Next week we'll explore that topic more fully. The list of interested parties, to my mind, reads: nation-states, international criminal organizations, stateless terrorists, domestic terrorists, hacktivists and misguided/disgruntled employees. What are the motivations of, and constraints on, each of these parties?
Mandates often come in the form of overreach and overreaction to major events. In the absence of a major cyber security event for the nation's 3,000 utilities, would mandates be appropriate? Conversely, what is the yardstick for progress being applied to utilities, if such work is in fact moving ahead apace, but simply remains largely behind a veil of secrecy?
What are the drivers for cyber security at various levels of government, from the federal level to the states to the cities, towns and co-op boards that have jurisdiction over investor-owned utilities, municipal utilities and cooperative utilities? What are the possible actions and consequences, intended and otherwise, for cyber security measures at each of these levels?
What steps have already taken place at each level?
And if the power industry and its stakeholders seek to forestall any top-down, one-size-fits-all mandates for cyber security in the nation's distribution systems, what do they propose should take their place?
We always hear advocates recite the mantra of "bake it in, don't bolt it on." What is the status of utility efforts to demand this approach from their vendors?
Finally, what are the real constraints on achieving adequate cyber security? Are they financial, human, technical, legal or regulatory?